The United States’ adversaries see cyber warfare as a potential American vulnerability in a military engagement, the Pentagon’s number two civilian told the House Armed Services Committee Wednesday.

Deputy Defense Secretary Bob Work said, “In terms of deterrence we are not where we need to be” as a nation or a department. In answer to a question, he said many DOD “systems were not built” to meet today’s threat. The same holds true for installations, Terry Halvorsen, acting DOD chief of information, testified.

Adm. Michael Rogers, commander of Cyber Command, added, “We are being challenged as never before.” In cyber, he identified Russia as a peer competitor with the United States and China and other nations, such as Iran and North Korea, actively developing a broad range of cyber capabilities.

He said his command “is trying to overcome decades of investment” decisions to build up resiliency and redundancy in DOD capabilities.

Rogers said in answer to a question that his greatest concerns were cyber being used to seriously damage or destroy critical infrastructure, shifting intrusions from stealing of information to manipulating data, and terrorist groups using the Internet as an offensive weapon.

At a Senate hearing on Tuesday, James Clapper, director of national intelligence, said, “What we could expect next is data manipulation, which then calls into question the integrity of the data [from financial transactions to the power grid, etc.], which in many ways is more insidious than the attacks we’ve suffered thus far.”

For Work and Rogers, this was the second day of Capitol Hill hearings, having testified before the Senate Armed Services Committee on Tuesday. Clapper did not testify at the House hearing.

Attribution of where a cyber attack comes from, conducted by whom on whose command remains a challenge.

The command is “improving its ability to identify who did it,” Rogers said. Several times during the hearings, he and Work cited the success in identifying North Korea as the instigator of the attack on Sony Entertainment last year and Iran as the source of several attacks since 2012 on the financial sector.

While the number of intrusions is rising overall, Rogers said incidents involving Pyongyang and Tehran have dropped off because of the American response.

But as to what constitutes a cyber act of war, he said Tuesday, “We’re still working our way through it.”

Work and Rogers said at both hearings that each attack or intrusion would be looked at individually to evaluate damage and possible response—from criminal indictments to economic sanctions to military action.

For deterrence to be effective, “we have to clearly articulate what is acceptable and what is not acceptable,” Rogers said Tuesday.

At the Senate hearing, Clapper said, “We’re sort of in the Wild West here with cyber, where there are no limits.” He said he was “somewhat of a skeptic” when it comes to China living up to its agreement with the United States that neither country would engage in corporate espionage. “We’re in a trust but verify mode.”

Work termed the agreement as “a confidence-building measure.”

On the cyber-theft of more than 20 million files from the Office of Personnel Management, Clapper said, “We, too, practice cyber espionage.” He added, “Think about the old saw of people who live in glass houses.”

Sen. John McCain (R-Ariz.) responded, “So it’s OK for them [the Chinese] to steal our secrets that are most important because we live in a glass house.”

Clapper said that was not what he meant. “I’m just saying that both nations engage in this.”

Cooperation between the Pentagon and the private sector, especially in improving security in financial matters, and contractors has improved, Work and Rogers told the committees. Even with increased sharing, Rogers told the Senate panel when it comes to cyber security with contractors “we’re clearly not where we want to be.”

But when asked about a private company launching “a hack back” attack against a suspected intruder, Rogers warned that corporations and the government needed to be “very careful about going down this road.” Work said any “hack back” could bring on “second, third and fourth order of [unanticipated] effects.”

Work said Tuesday, “I think we were caught by surprise” on the agreement among Russia, Syria, Iran and Iraq to share intelligence on fighting the Islamic State. On Wednesday, Russian military jets struck targets in Syria. News reports said the United States was given an hour’s notice before the attack.

To counter the Islamic State’s success in recruiting foreign fighters, now estimated to be about 30,000, Rogers said, “We’ve got to be willing to fight them in that [social media] domain.”

About John Grady

John Grady, a former managing editor of Navy Times, retired as director of communications for the Association of the United States Army. His reporting on national defense and national security has appeared on Breaking Defense, GovExec.com, NextGov.com, DefenseOne.com, Government Executive and USNI News.